Automating Network Security Profiles Vivek Kashyap Senior - - PowerPoint PPT Presentation

Automating Network Security Profiles

Vivek Kashyap Senior Technical Staff Member Linux Technology Center IBM

vivk@us.ibm.com Linux Collaboration Summit, 2011 2

Cloud

Interface Cloud Controller Domain-1 Control Domain-N Control Domain 1 Host 1 Host 2 Host 3 Domain n Host 1 Host 2 Host 3

Virtualization Compute Storage Memory Network Application Operating System Image Virtual Server Virtual Server Virtual Server Application Operating System Image Application Operating System Image

• Multiple images deployed on physical nodes in the DataCenter/Cloud
• Network isolation a must for a viable multi-tenant solution
• Collaborative applications may be on same virtual network

Image repository

vivk@us.ibm.com Linux Collaboration Summit, 2011

Network View

VM Switch Switch VM VM VM VM Virtual Switch VM VM VM Switch VM Virtual Switch VM VM VM Server External Network External Network Port Profile Domain Edge Port Definition

• DataCenter consists of large number of physical and virtual switches

─

Applications with different network profiles

• Host vswitch provides guest-guest switching, filtering, bandwidth control

─

Error-prone managing large deployments

─

Virtual switch is not integrated with network fabric management

>

inconsistencies and manual verification

• For load-balancing, resiliency the KVM guests are mobile

─

Network policies must continue to be applied to the KVM guest workload

>

Manually ensure target are correctly configured to support network profiles

>

Physical port security/profiles need to be re-programmed with mobility

vivk@us.ibm.com Linux Collaboration Summit, 2011 4

Linux Virtual Networking

VM VM VM

…

VEB PCIe IOV Enet Port

PF VF VF

:

VF

VEB PCIe Adapter

F

Enet Port VM VM VM

…

VM VM VM

… Linux/KVM

VEB

Adjacent Switch

*Packet switching and

filtering function

* * * *

vivk@us.ibm.com Linux Collaboration Summit, 2011 5

Automating Physical/Virtual Switching

Edge Virtual Bridging: IEEE 802.1Qbg

• Offload switching function to external

bridge

─

VM's virtual interface directly tied to physical switch port policies

─

Simplified VEPA (Virtual Ethernet Port Aggregator) bridging in hypervisor to send all packets to adjacent bridge.

>

Provides packet replication of inbound frames.

─

Physical switch port put in 'reflective relay' mode

>

Sends packets back over same port

• Con: Introduces limited latency

VM VM VM VEPA

…

PCIe Adapter

F

Enet Port VM VM VM

…

VM VM VM

… Linux/KVM

VEB

Adjacent Switch

* *

PCIe Adapter

F

Enet Port

Port in Reflective Relay Mode VEPA: Virtual Ethernet Port Aggregator VEB: Virtual Ethernet Bridge (or, Linux bridge)

vivk@us.ibm.com Linux Collaboration Summit, 2011 6

How Does it Work?

• The network profile

– Used by one or more VMs – Unique id – Stored in database

• Switch advertises 802.1Qbg support
• Linux/KVM host receives

advertisement

– Configures switch port in VEPA (hairpin_mode) – Offloads switching function

• Linux/KVM sends to switch

– unique id of network profile – MAC/VLAN information

• Switch retrieves profile

– Enforces bandwidth, Access controls

VM Switch Switch vSwitch (a.k.a. VEB) VMVMVM VM VEB VMVMVM Switch VM VEPA VMVM VM External Network External Network Port Profile Database Domain Edge Port Definition

vivk@us.ibm.com Linux Collaboration Summit, 2011 7

Linux host

VSI Discovery and Configuration Protocol (VDP) associate Create new VM’s network state (i.e. MAC Address, VLAN ID, VSI state*)

VSI Type Database

System Admin Network Admin Query available VSI types Obtain a VSI instance

Server

Switch (a.k.a. Bridge)

LLDPAD EDP/VDP User Space Daemon VM Apps VM Apps

Network (VSI Type) Manager Create set

• f VSI

Types

2

KVM with VEPA

5

L2 net(s)

System Manager

3

*VSI state consists of the following: VSI Manager ID, VSI Instance ID, VSI Type ID, VSI Type Version. Request creation

• f VM. Send VSI

state*, MAC address, VLAN id.

4

VM begins communication, through KVM VEPA

8

Libvirt CIM Libvirt

Load VSI Type

6 7

On success from step 5, libvirt instantiates and starts the VM

Creating a KVM Guest

vivk@us.ibm.com Linux Collaboration Summit, 2011 8

Simple extension to libvirt

• The VSI state is specified using the following domain XML extension

<interface type='direct'/> <source dev='device name' mode='vepa' /> <model type='virtio'/> <virtualport type='802.1Qbg'> <parameters managerid='12' typeid='0x123456' typeidversion='1' instanceid='insert-uuid-here' /> </virtualport> </interface>

• Libvirt parses 'virtualport type'

─

Sends netlink message with 'ASSOCIATE' request to LLDPAD

─

LLDPAD sends ASSOCIATE VDP message

─

Returns success or failure

─

On success KVM guest is created

vivk@us.ibm.com Linux Collaboration Summit, 2011 9

VSI Type Database

System Admin migrate VM Pre-Associate to server’s virtualization infrastructure

Target Server

Switch (a.k.a. Bridge)

VM Apps VM Apps

VSI Manager VM Manager

VEB or VEPA

1 2

VDP Pre-Associate with Resource Reservation Retrieve VSI Information

L2 net(s)

Source Server

Switch (a.k.a. Bridge)

VM Apps VM Apps

VEB or VEPA

5

Move to VDP Pre-Associate state Push VM Move

3

Associate & Start-up VM

4 6

VDP Associate

7

VM is brought

• n-line after VDP

completes

Migration Steps

8

After target VM up, De- Associate and terminate VM

vivk@us.ibm.com Linux Collaboration Summit, 2011 10

Automatic Host based Virtual Switching

• Host vswitch

─

Linux bridge + ebtables/iptables + tc

─

OpenVswitch (not in mainline)

• Administrative simplification: Associate filter rules to Virtual machines

─

Rules enforced in the kernel when guest started

─

Rules torn down when the guest is terminated

─

Rules may be modified at runtime

─

Rules may contain macros which get instantiated at runtime

>

IP Address, MAC address , more possible

» DHCP Snooping/first packet to determine IP Address

vivk@us.ibm.com Linux Collaboration Summit, 2011 11

Example Filter

This filter may now be referenced with any guest by adding to the 'interface' element in the guest domain:

<filter name='no-ip-spoofing' chain='ipv4'> <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid> <rule action='drop' direction='out' priority='500'> <ip match='no' srcipaddr='$IP'/> </rule> </filter> <interface type='bridge'> <mac address='52:54:00:56:44:32'/> <source bridge='br1'/> <ip address=$IP/> <target dev='vnet0'/> <model type='virtio'/> <filterref filter='no-ip-spoofing'/> </interface>

vivk@us.ibm.com Linux Collaboration Summit, 2011 12

Status

• Linux 2.6.34 onwards

─

VEPA mode (for IEEE 802.1Qbg support)

─

Bridging between virtual interfaces

─

Vhost-net interface for Qemu

─

GSO/GRO acceleration for macvtap

• Libvirt 0.8.7 (http://libvirt.org/formatnwfilter.html)

─

VEPA and VSI support

>

Netlink notifications for VDP protocol (to LLDPAD)

─

Support for host based filter rules

• LLDPAD:

─

Version lldpad 0.9.41 (open-lldp.org)

>

EVB TLVs, ECP/VDP

• Libvirt-CIM: 0.5.12

─

Support for specifying VEPA, VSI state

vivk@us.ibm.com Linux Collaboration Summit, 2011

VM VM VM VM vSwitch L2 net(s) VM Edge Switch Edge Server Edge

A peek into the Future: Network Profile Automation

Port Profile Database

VM Manager

Query available port profile types

3

1 2

4

Push VM & vPort Configuration to VM Host vPort Discovery Retrieve Port Configuration

IEEE 802.1Qbg protocol support Port Profile DB Schema DB Client Interface DB-to-switch Interface

A B C D

Linux/KVM:

• CIM provider (libvirt-CIM)
• r direct libvirt interface
• Based on host capabilities

and domain policy:

• Create ACL rules utilizing

the linux virtualization library(libvirt)

• r
• Create/use existing VSI

profile to impose on the guest

Image library OVF

Network extensions

• Include filters in the Virtual Machine meta-data (e.g. in the OVF)
• Filters takes macros, that are instantiated at deployment (as shown with libvirt)
• Management tooling uses it to create libvirt rules or vis data profiles

vivk@us.ibm.com Linux Collaboration Summit, 2011 14

Legal Statement

This work represents the view of the author and does not necessarily represent the view of IBM. IBM is a registered trademark of International Business Machines Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and

• ther countries .

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

vivk@us.ibm.com Linux Collaboration Summit, 2011 15

Questions?

vivk@us.ibm.com Linux Collaboration Summit, 2011 16

802.1Qbg Protocols

• External Virtual Bridging protocol (EVB) uses LLDP as transport

─

Defines locus of VM to VM switching

>

Set VEPA or Bridge mode

• Channel Discovery and Configuration Protocol (CDCP) [Not Implemented]

─

Virtualize the physical link to simultaneously support multiple VEPA/VEB components

• Edge Control Protocol (ECP)

─

ECP provides a reliable, acknowledged protocol for VDP rather than using LLDP.

• Virtual Station Interface (VSI) Discovery Protoco(VDP)

─

Associate and De-associate interface MAC/VLAN to port profile

For specification go to: IEEE 802.1Qbg version 0 Specification

vivk@us.ibm.com Linux Collaboration Summit, 2011 17

Linux host LLDPAD EDP/VDP User Space Daemon libvirt- CIM Libvirt

VSI Discovery and Configuration Protocol (VDP) deassociate

Server

Switch (a.k.a. Bridge)

VM Apps VM Apps

KVM with VEPA

2

L2 net(s)

3

VM is destroyed Virsh -c qemu:///system shutdown <kvm_guest>

1

Destroy Guest

vivk@us.ibm.com Linux Collaboration Summit, 2011 18

Linux KVM Components

VSI Profile Database

Switch (a.k.a. Bridge)

LLDPAD ECP/VDP User Space Daemon VM VM Apps

L2 net(s)

Management Entity

*VSI state consists of the following: VSI Manager ID, VSI Instance ID, VSI Type ID, VSI Type Version.

Libvirt-CIM Provider Libvirt

• Enablement of 'macvtap'
• Linux virtualization library

framework (libvirt)

• Configure interfaces in VEPA or

VEB (Bridge)Mode

• Enforce ACLs on the VEB virtual

port

• Support for creation, destroy and

migration of KVM guests (VM)

• Trigger of IEEE 802.1Qbg protocols

with KVM guest life-cycle events

• 802.1Qbg protocols implemented

in LLDPAD daemon

─

VDP : VSI Discovery Protocol

─

ECP: Edge Control Protocol

─

LLDP extensions for switch mode (Ethernet Virtual Bridging TLVs)

KVM with VEPA/VEB

Apps

VSI: Virtual station interface (a.k.a virtual interface or vNIC)

vivk@us.ibm.com Linux Collaboration Summit, 2011 19

MACVTAP: VEPA interface

• Goal: Share a single Ethernet NIC between KVM guest interfaces with no

bridging function except replication of incoming multicast/broadcast packets

• Implementation:

─

Utilize existing 'macvlan' driver already supported in Linux

─

Create a 'macvtap' device driver that plugs into a macvlan driver to interface to KVM guest

>

Macvtap driver implements tun/tap-like interface

>

Frames sent from guest put directly into queue of outbound interface

>

Frames received put in guests receive path

vivk@us.ibm.com Linux Collaboration Summit, 2011 20

Libvirt: VEPA interface

• Macvtap is tied specifically to an interface that provides uplink

connectivity

• Define it in guest's domain xml as:

<interface type='direct'/>

<source dev='device name' mode='vepa' /> <model type='virtio'/>

</interface>

─

Additional modes defined: bridge and pepa

• Libvirt creates (and destroys) macvtap devices

─

Passes macvtap file-descriptor to QEMU (similar to the case with tap interface)

─

AF_NETLINK socket to create (and destroy) macvtap interface